
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Session expire time

  • 1.  Session expire time

    Posted Feb 21, 2013 09:47 AM



    Step by step, my CP self-registration is coming along, but there is one thing I can't achieve. I would like the guests to be able to connect for only one hour on the wifi and then be disconnected. I don't want the account to expire, only the session, so the guests can log in again with the same account. Is it possible?


    In addition, I'd like to manage a five-minute break between each session?





  • 2.  RE: Session expire time

    Posted Feb 21, 2013 01:39 PM

    I haven't tried this myself, but I wonder if it's possible to use the RADIUS attributes Session-Timeout and Terminate-Action to set the session time and then force reauthentication?  I'm not sure if the controller will allow the session timeout to be set by a RADIUS server, but this is certainly possible on a Cisco switch.
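
The two attributes named in the reply above, shown as they would be encoded in a RADIUS Access-Accept. This is an added example, not part of the original post and not ClearPass or controller code; attribute numbers and the Response Authenticator formula follow RFC 2865 (which names attribute 29 Termination-Action), and the shared secret, identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2         # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27      # attribute type, value in seconds
TERMINATION_ACTION = 29   # attribute type
RADIUS_REQUEST = 1        # Termination-Action value: re-authenticate at session end

# Constructed sample values, not taken from the thread.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"

def int_attr(attr_type, value):
    """Encode a 32-bit integer attribute as type, length (always 6), value."""
    return struct.pack("!BBI", attr_type, 6, value)

def guest_session_attrs(seconds=3600):
    """One-hour session limit followed by a forced re-authentication."""
    return (int_attr(SESSION_TIMEOUT, seconds)
            + int_attr(TERMINATION_ACTION, RADIUS_REQUEST))

def build_access_accept(identifier, request_auth, secret, attrs):
    """Assemble an Access-Accept and compute its Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def parse_int_attrs(packet):
    """Return {type: value} for the integer attributes, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_len == 6:
            (found[attr_type],) = struct.unpack("!I", packet[pos + 2:pos + 6])
        pos += attr_len
    return found

if __name__ == "__main__":
    pkt = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, guest_session_attrs())
    print(pkt.hex(), parse_int_attrs(pkt))
```

Whether the network access device honours a server-supplied Session-Timeout is device-specific, as the reply notes.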

  • 3.  RE: Session expire time

    Posted Mar 01, 2013 05:17 AM


    Well - what is really your point behind making them re-connect?

    Is it the option to re-direct them to a landing portal with some info or ads you want them to see/click on?


    Depending on what you want to achieve, I would just save the user the hassle and have them re-register to get a new password. The account will by default auto-update with a new password anyway, and not overwrite any parameter not filled in.


    But - that said...


    I haven't tried this myself, but you could most likely create a variation of the Enforcement Policy "Standard Guest Access" with a rule that terminates the session if more than 1 hour has passed since the last authentication.


    Inserted screenshot for configuration






    Note that if the user has already timed out in the Aruba session, i.e. he has been idle for more than 5 minutes (or whatever you've set the user idle timeout to be), he will have to be re-authenticated through the portal anyway.


    Also, you might want to use MAC authentication and do the termination part there instead. It's just the same kind of rule, starting out with the "MAC-caching 24hours" policy.


    Try it and let us know how it works out for you.



  • 4.  RE: Session expire time

    Posted Mar 01, 2013 06:21 AM



    I want to prevent guests from downloading movies or other massive stuff, as the IAPs are used as a hotspot.


    I have tried to create a variation of the Enforcement Policy "Standard Guest Access" but I can't add the operator "GREATER_THAN_OR_EQUALS" => value is not correct.



  • 5.  RE: Session expire time

    Posted Mar 01, 2013 09:24 AM
    Strange. What version of CPPM are you using? I'm on
    The quota part you should do in CPPM & Guest

  • 6.  RE: Session expire time

    Posted Mar 01, 2013 09:27 AM



    OK for the quota, so I need to make a new Enforcement Profile?



  • 7.  RE: Session expire time

    Posted Mar 01, 2013 07:06 AM

    It saves fine for me - as you can see in the screenshot. Perhaps you've chosen the wrong Type?


    (Authorization:[Insight Repository]:Hours-Since-Auth GREATER_THAN_OR_EQUALS 1)



    But - for your purpose, perhaps look into quotas, bandwidth limits and firewall rules.


  • 8.  RE: Session expire time

    Posted Mar 03, 2013 03:55 PM

    To be honest - I don't really know how to do accounting-based authentication in CPPM/CPGUEST 6.x.


    I used it previously in Amigopod/CP-Guest 3.9.x.

    Then it was more or less all described here:


    Now - just browsing through the menus I see an Enforcement Profile named "Guest Bandwith Limit". This is already referenced in the "Standard Guest Access" service so just changing the Profile parameter Allowed-Limit to something else should enforce it...



  • 9.  RE: Session expire time

    Posted Mar 01, 2013 07:13 AM

    It's a request from my customer, but I will try and look into quotas and bandwidth. Can I configure both in CPPM or is it better in the VC of the IAP?




    As you can see, I can't use GREATER_THAN_OR_EQUALS 1.




  • 10.  RE: Session expire time

    Posted Mar 04, 2013 02:02 AM

    Ok thanks, I'll try with those tools.



  • 11.  RE: Session expire time

    Posted Mar 04, 2013 04:23 AM

    I'm back,


    On CPPM, I can see these Enforcement Profiles used by the Guest Access service.




    I think it's what I need (session timeout) but I am not sure if it's the session or the account that times out. Moreover, I don't really understand how the Value works. Can I change it to something like 1 hour?





  • 12.  RE: Session expire time

    Posted Mar 04, 2013 04:58 AM

    Ok so it's not what I want.




  • 13.  RE: Session expire time

    Posted Mar 04, 2013 04:37 AM

    I believe that parameter correlates to the Expiry Time of the user account, which is set at creation. Changing the value in the Enforcement Profile overrides that and doesn't give you the intended effect.

  • 14.  RE: Session expire time

    Posted Feb 22, 2013 01:55 AM

    Thanks, I have seen this but don't know how to use it exactly. Can you help me a bit?

  • 15.  RE: Session expire time

    Posted Mar 01, 2013 03:39 AM

    A little up if someone more experienced than me can help to implement this.